Despite recent scare stories, SMS pass codes remain the safest form of two-factor authentication.
Rob Malcolm, VP of marketing and online sales at CLX recently spoke to MEF’s Tim Green about the issues and benefits of two-factor authentication for MEF’s Future of Messaging Guide which can be downloaded here for free.
For years, two-factor authentication (2FA) was regarded as an essential weapon in the fight against online fraud. Again and again, criminals easily bypassed passwords and PINs. Far safer then to have users enter proof that they own the device registered to the service – like a smartphone.
Adding this secondary line of protection was a no-brainer. And the best way to do it seemed to be with a one-time passcode sent by SMS.
But in 2016, something happened. Headlines declared the age of SMS 2FA to be over. It’s insecure, they said. They were reporting an announcement made by the National Institute of Science and Technology (NIST) in the US. It had found flaws in 2FA via SMS messages, and said it was considering these risks and may “deprecate” SMS in future standards.
The NIST was concerned that hackers can exploit flaws in the SS7 protocol that operators use to enable roaming on their networks. In effect, attackers can fool the phone network into thinking a device is on another network allowing for communications to be intercepted by the rogue network .
And it was right. Hackers can exploit this loophole. But according to Rob Malcolm, VP Marketing at CLX, the risk has been hugely over-exaggerated. He says: “Really, the only people who could repeatedly exploit this flaw at scale would be rogue employees inside of a GSM network. It’s the equivalent of a Facebook staffer accessing your Facebook account. So, yes, it is a risk to be taken seriously, but I think it’s been exaggerated.”
Malcolm adds that the reaction against SMS ignores the fact that it is generally safe and – most important – it is widely used. “We have to be realistic and offer the best possible security that people will actually adopt,” he says. “There’s always a balance between security and ease of use. In this respect 2FA with SMS is the best option we have. It’s fast and people know how to use it. We should think hard about dismissing it when it is so popular. We can’t have users going back to just username and password – which they will if we take 2FA with SMS away.”
Malcolm concluded “We believe that the rationale for deprecating SMS for OOB authentication due to these vulnerabilities would be akin to stating we should deprecate TCP/IP because of a vulnerability in a firewall or in SSL. Clearly the solution is to fix the vulnerabilities rather than to prevent the use of SMS for 2FA.“
Malcolm has observed that as much as 20 per cent of all A2P (application to person) messaging on his network comes from authentication. Banks, social networks and others have clearly found the process effective. He adds that many operators are now installing SS7 firewalls to mitigate against the above risk.
While it’s always possible to close loopholes in a system, it’s much harder to reduce people’s tendency to be ‘taken in’. The sad fact is that social engineering – and not technical hacks – is behind most attacks. In the case of 2FA with SMS, it’s criminals persuading a network call centre agent to deactivate the original SIM, and provide a new one. Or phishing users with a spoof text message or email.
Malcolm laments that these attacks exist, but believes SMS 2FA can help. He says: “99 per cent of attacks are by social engineering rather than any kind of technical hack. I’d argue that 2FA can help to reduce these attacks, because it makes them so much more complex than merely trying to gain someone’s username or password.”
The Future of Messaging Guide explores the uses cases, platforms and technologies that are changing the landscape of messaging globally. From A2P to OTT, chat bots to smart machines, we explore how the world’s most powerful medium is shaping up for tomorrow.
The guide features over 25 cross-sector case studies and exclusive interviews that examine the power of messaging in all its forms from the humble SMS and chat apps to emerging platforms and explores what’s next for messaging.
Download the Guide here for free.